Galois Fields and Hardware Design


Galois Fields and Hardware Design
Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields
Priyank Kalla, Associate Professor, Electrical and Computer Engineering, University of Utah
kalla@ece.utah.edu, http://www.ece.utah.edu/~kalla

Agenda
Introduction to field construction
Constructing $\mathbb{F}_{2^k}$ and its elements
Addition, multiplication and inverses over GFs
Conjugates and their minimal polynomials
GF containment and algebraic closure
Hardware design over GFs

Integral and Euclidean Domains
Definition: An integral domain $R$ is a set with two operations $(+, \cdot)$ such that:
1. The elements of $R$ form an abelian group under $+$, with additive identity $0$.
2. Multiplication is associative and commutative, with multiplicative identity $1$.
3. The distributive law holds: $a(b + c) = ab + ac$.
4. The cancellation law holds: if $ab = ac$ and $a \neq 0$, then $b = c$.
Examples: $\mathbb{Z}, \mathbb{R}, \mathbb{Q}, \mathbb{C}, \mathbb{Z}_p, F[x], F[x, y]$. The finite rings $\mathbb{Z}_n$ with $n$ not prime are not integral domains.

Euclidean Domains
Definition: A Euclidean domain $D$ is an integral domain where:
1. associated with each non-zero element $a \in D$ is a non-negative integer $f(a)$ such that $f(a) \le f(ab)$ if $b \neq 0$; and
2. for all $a, b \in D$ with $b \neq 0$ there exist $(q, r)$ such that $a = qb + r$, where either $r = 0$ or $f(r) < f(b)$.
We can apply Euclid's algorithm to compute $g = \mathrm{GCD}(g_1, \dots, g_t)$, since $\mathrm{GCD}(a, b, c) = \mathrm{GCD}(\mathrm{GCD}(a, b), c)$. Then $g = \sum_i u_i g_i$, i.e. the GCD can be represented as a linear combination of the elements.

Euclid's Algorithm
Inputs: elements $a, b \in D$, $D$ a Euclidean domain
Outputs: $g = \mathrm{GCD}(a, b)$
1: Assume $a > b$, otherwise swap $a, b$   /* GCD(a, 0) = a */
2: while $b \neq 0$ do
3:   $t := b$
4:   $b := a \pmod b$
5:   $a := t$
6: end while
7: return $g := a$
Algorithm 1: Euclid's Algorithm

Example: $\mathrm{GCD}(84, 54) = 6$
$84 = 1 \cdot 54 + 30$
$54 = 1 \cdot 30 + 24$
$30 = 1 \cdot 24 + 6$
$24 = 4 \cdot 6 + 0$
Lemma: If $g = \gcd(a, b)$ then there exist $s, t$ such that $s \cdot a + t \cdot b = g$.
Unroll Euclid's algorithm to find $s, t$. A HW assignment!

Euclidean Domains
$D = \mathbb{Z}, \mathbb{R}, \mathbb{Q}, \mathbb{C}, \mathbb{Z}_p$.
The ring $F[x]$ is a Euclidean domain, where $F$ is any field.
The ring $R = F[x, y]$ is NOT a Euclidean domain, for any field $F$: for $x, y \in R$, $\mathrm{GCD}(x, y) = 1$, but we cannot write $1 = f_1(x, y)\, x + f_2(x, y)\, y$.
$\mathbb{Z}_{2^k}$ is neither an integral domain nor a Euclidean domain.

Fields
Definition: Let $D$ be a Euclidean domain, and let $p \in D$ be a prime element. Then $D \pmod p$ is a field.
That is why $\mathbb{Z} \pmod p$ is a field.
In $\mathbb{R}[x]$, $x^2 + 1$ is a prime, actually called an irreducible polynomial.
So $\mathbb{R}[x] \pmod{x^2 + 1}$ is a field, and it is the field of complex numbers $\mathbb{C}$.
$\mathbb{R}[x] \pmod p = \{ f(x) \mid g(x) \in \mathbb{R}[x],\ f(x) \equiv g(x) \pmod p \}$

$\mathbb{R}[x] \pmod{x^2 + 1} = \mathbb{C}$
Let $f, g \in \mathbb{R}[x] \pmod{x^2 + 1}$; $f$ is the remainder of division by $x^2 + 1$, so it is linear.
Let $f = ax + b$, $g = cx + d$.
$f \cdot g = (ax + b)(cx + d) \pmod{x^2 + 1} = acx^2 + (ad + bc)x + bd \pmod{x^2 + 1} = (ad + bc)x + (bd - ac)$ after reducing by $x^2 = -1$.
Replace $x$ with $i = \sqrt{-1}$, and we get $\mathbb{C}$.
$\mathbb{C}$ is a 2 ($= \deg(x^2 + 1)$)-dimensional extension of $\mathbb{R}$.
Intuitively, that is why $\mathbb{C} \supset \mathbb{R}$ (containment and closure).

Recall from my previous slides: From Rings to Fields
Rings $\supset$ Integral Domains $\supset$ Unique Factorization Domains $\supset$ Euclidean Domains $\supset$ Fields
Now you know the reason for this containment.

Construct Galois Extension Fields
$\mathbb{F}_p[x]$ is a Euclidean domain; let $P(x)$ be irreducible over $\mathbb{F}_p$, and let $\deg P(x) = k$.
$\mathbb{F}_p[x] \pmod{P(x)} = \mathbb{F}_{p^k}$, a finite field of $p^k$ elements.
Denote GFs as $\mathbb{F}_q$, $q = p^k$ for prime $p$ and $k \ge 1$.
$\mathbb{F}_{p^k}$ is a $k$-dimensional extension of $\mathbb{F}_p$, so $\mathbb{F}_p \subset \mathbb{F}_{p^k}$.
Our interest: $\mathbb{F}_{2^k} = \mathbb{F}_2[x] \pmod{P(x)}$, where $P(x) \in \mathbb{F}_2[x]$ is a degree-$k$ irreducible polynomial.

Study $\mathbb{F}_{2^k}$
Irreducible polynomials of any degree $k$ always exist over $\mathbb{F}_2$, so $\mathbb{F}_{2^k}$ can be constructed for arbitrary $k \ge 1$.
Table: Some irreducible polynomials in $\mathbb{F}_2[x]$.
Degree   Irreducible polynomials
1        $x$; $x + 1$
2        $x^2 + x + 1$
3        $x^3 + x + 1$; $x^3 + x^2 + 1$
4        $x^4 + x + 1$; $x^4 + x^3 + 1$; $x^4 + x^3 + x^2 + x + 1$

$\mathbb{F}_{2^k} = \mathbb{F}_2[x] \pmod{P(x)}$; let $\alpha$ be a root of $P(x)$, i.e. $P(\alpha) = 0$.
$P(x)$ has no roots in $\mathbb{F}_2$ (it is irreducible); the root lies in its algebraic extension $\mathbb{F}_{2^k}$.
Any element $A \in \mathbb{F}_{2^k}$: $A = \sum_{i=0}^{k-1} a_i \alpha^i = a_0 + a_1 \alpha + \dots + a_{k-1} \alpha^{k-1}$, where $a_i \in \mathbb{F}_2$.
The degree of $A$ is $< k$. Think of $A = \{a_{k-1}, \dots, a_0\}$ as a bit-vector.

Example of $\mathbb{F}_{16}$
$\mathbb{F}_{2^4}$ as $\mathbb{F}_2[x] \pmod{P(x)}$, where $P(x) = x^4 + x^3 + 1$, $P(\alpha) = 0$.
Any element $A \in \mathbb{F}_{16}$: $A = a_3 \alpha^3 + a_2 \alpha^2 + a_1 \alpha + a_0$ (degree $< 4$).
Table: Bit-vector, exponential and polynomial representation of elements in $\mathbb{F}_{2^4} = \mathbb{F}_2[x] \pmod{x^4 + x^3 + 1}$
a3 a2 a1 a0   Expo            Poly
0000          $0$             $0$
0001          $1$             $1$
0010          $\alpha$        $\alpha$
0011          $\alpha^{12}$   $\alpha + 1$
0100          $\alpha^2$      $\alpha^2$
0101          $\alpha^9$      $\alpha^2 + 1$
0110          $\alpha^{13}$   $\alpha^2 + \alpha$
0111          $\alpha^7$      $\alpha^2 + \alpha + 1$
1000          $\alpha^3$      $\alpha^3$
1001          $\alpha^4$      $\alpha^3 + 1$
1010          $\alpha^{10}$   $\alpha^3 + \alpha$
1011          $\alpha^5$      $\alpha^3 + \alpha + 1$
1100          $\alpha^{14}$   $\alpha^3 + \alpha^2$
1101          $\alpha^{11}$   $\alpha^3 + \alpha^2 + 1$
1110          $\alpha^8$      $\alpha^3 + \alpha^2 + \alpha$
1111          $\alpha^6$      $\alpha^3 + \alpha^2 + \alpha + 1$

Add, Mult in $\mathbb{F}_{2^k}$
Definition: The characteristic of a finite field $\mathbb{F}_q$ with unity element $1$ is the smallest integer $n$ such that $1 + \dots + 1$ ($n$ times) $= 0$.
What is the characteristic of $\mathbb{F}_{2^k}$? Of $\mathbb{F}_{p^k}$? Characteristic $= 2$ and $p$, respectively, of course!
In $\mathbb{F}_{2^k}$ the coefficients are reduced modulo 2:
$\alpha^5 + \alpha^{11} = (\alpha^3 + \alpha + 1) + (\alpha^3 + \alpha^2 + 1) = 2\alpha^3 + \alpha^2 + \alpha + 2 = \alpha^2 + \alpha$ (as the characteristic of $\mathbb{F}_{2^k}$ is 2) $= \alpha^{13}$
Addition in $\mathbb{F}_{2^k}$ is the bit-vector XOR operation.

Add, Mult in $\mathbb{F}_{2^k}$
$\alpha^4 \cdot \alpha^{10} = (\alpha^3 + 1)(\alpha^3 + \alpha) = \alpha^6 + \alpha^4 + \alpha^3 + \alpha$
$= \alpha^4 \cdot \alpha^2 + (\alpha^4 + \alpha^3) + \alpha = (\alpha^3 + 1)\alpha^2 + (1) + \alpha$ (as $\alpha^4 = \alpha^3 + 1$)
$= \alpha^5 + \alpha^2 + \alpha + 1 = \alpha^4 \cdot \alpha + \alpha^2 + \alpha + 1 = (\alpha^3 + 1)\alpha + \alpha^2 + \alpha + 1$
$= \alpha^4 + \alpha^2 + 1 = \alpha^3 + \alpha^2$
Reduce everything $\pmod{P(x) = x^4 + x^3 + 1}$, and $-1 = +1$ in $\mathbb{F}_{2^k}$.

Every non-zero element has an inverse
How to find the inverse of $\alpha$? HW for you: think Euclidean algorithm!
What is the inverse of $\alpha$ in our $\mathbb{F}_{16}$ example?
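Worked example, added here and not part of the lecture slides: one extended-Euclid routine written over an abstract Euclidean domain (Algorithm 1 above, with the Bezout coefficients $s, t$ of the lemma tracked instead of recovered by unrolling), instantiated once for $\mathbb{Z}$ to reproduce $\mathrm{GCD}(84, 54) = 6$ and once for $\mathbb{F}_2[x]$ to answer the inverse question: from $s \cdot \alpha + t \cdot P = 1$ with $P(x) = x^4 + x^3 + 1$ we get $\alpha^{-1} = s = \alpha^3 + \alpha^2$, the bit-vector 1100, i.e. $\alpha^{14}$ in the table. Polynomials over $\mathbb{F}_2$ are encoded as Python ints (bit $i$ is the coefficient of $x^i$); all function names are mine.

```python
import operator

def egcd(a, b, divmod_fn, sub, mul, zero=0, one=1):
    """Extended Euclid in a Euclidean domain.
    divmod_fn(a, b) must return (q, r) with a = q*b + r and r = 0 or f(r) < f(b).
    Loop invariant: s0*a + t0*b == r0 and s1*a + t1*b == r1.
    Returns (g, s, t) with s*a + t*b == g == GCD(a, b)."""
    r0, r1 = a, b
    s0, s1 = one, zero
    t0, t1 = zero, one
    while r1 != zero:
        q, r = divmod_fn(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, sub(s0, mul(q, s1))
        t0, t1 = t1, sub(t0, mul(q, t1))
    return r0, s0, t0

# --- instantiation 1: the integers Z ------------------------------------------
def egcd_int(a, b):
    return egcd(a, b, divmod, operator.sub, operator.mul)

# --- instantiation 2: F_2[x], polynomials as int bitmasks ---------------------
def poly2_divmod(a, b):
    """Long division in F_2[x]: degree = bit_length - 1, subtraction is XOR."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def poly2_mul(a, b):
    """Carry-less multiplication in F_2[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def egcd_poly2(a, b):
    return egcd(a, b, poly2_divmod, operator.xor, poly2_mul)

def gf_inverse(a, P):
    """Inverse of a in F_2[x] / (P): from s*a + t*P = 1 we get a^-1 = s mod P.
    A gcd other than 1 means a is 0 or P is reducible, so no inverse exists."""
    g, s, _ = egcd_poly2(a, P)
    if g != 1:
        raise ZeroDivisionError("no inverse: gcd(a, P) != 1")
    return poly2_divmod(s, P)[1]

if __name__ == "__main__":
    print(egcd_int(84, 54))                            # (6, 2, -3): 2*84 - 3*54 = 6
    P = 0b11001                                        # x^4 + x^3 + 1 from the slides
    alpha = 0b10
    inv = gf_inverse(alpha, P)
    print(bin(inv))                                    # 0b1100: alpha^3 + alpha^2
    print(poly2_divmod(poly2_mul(alpha, inv), P)[1])   # 1
```

The same `egcd` serves any Euclidean domain because it only asks the caller for division with remainder, subtraction and multiplication; for $\mathbb{F}_2[x]$ subtraction is XOR, which is why `operator.xor` is passed as `sub`.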

Vanishing Polynomials of $\mathbb{F}_q$
Lemma: Let $A$ be any non-zero element in $\mathb{F}_q$; then $A^{q-1} = 1$.
Theorem [Generalized Fermat's Little Theorem]: Given a finite field $\mathbb{F}_q$, each element $A \in \mathbb{F}_q$ satisfies $A^q = A$, or equivalently $A^q - A = 0$.
Example: Given $\mathbb{F}_{2^2} = \{0, 1, \alpha, \alpha + 1\}$ with $P(x) = x^2 + x + 1$, where $P(\alpha) = 0$:
$0^{2^2} = 0$; $1^{2^2} = 1$; $\alpha^{2^2} = \alpha \pmod{\alpha^2 + \alpha + 1}$ and $(\alpha + 1)^{2^2} = \alpha + 1 \pmod{\alpha^2 + \alpha + 1}$.

Irreducible versus Primitive Polynomials
An irreducible polynomial $P(x)$ is primitive if its root $\alpha$ generates all non-zero elements of the field: $\mathbb{F}_q = \{0, 1 = \alpha^{q-1}, \alpha, \alpha^2, \alpha^3, \dots, \alpha^{q-2}\}$.
$x^4 + x^3 + 1$ is primitive, but $x^4 + x^3 + x^2 + x + 1$ is not:
$\alpha^4 = \alpha^3 + \alpha^2 + \alpha + 1$
$\alpha^5 = \alpha^4 \cdot \alpha = (\alpha^3 + \alpha^2 + \alpha + 1)\alpha = (\alpha^4) + \alpha^3 + \alpha^2 + \alpha = (\alpha^3 + \alpha^2 + \alpha + 1) + (\alpha^3 + \alpha^2 + \alpha) = 1$

Conjugates of $\alpha$
Theorem: Let $f(x) \in \mathbb{F}_2[x]$ be an arbitrary polynomial, and let $\beta$ be an element of $\mathbb{F}_{2^k}$ for any $k > 1$. If $\beta$ is a root of $f(x)$, then for any $l \ge 0$, $\beta^{2^l}$ is also a root of $f(x)$. The elements $\beta^{2^l}$ are conjugates of each other.
Example: Let $\mathbb{F}_{16} = \mathbb{F}_2[x] \pmod{P(x) = x^4 + x^3 + 1}$ and $P(\alpha) = 0$. Let us find the conjugates of $\alpha$ as $\alpha^{2^l}$:
$l = 1$: $\alpha^2$
$l = 2$: $\alpha^4 = \alpha^3 + 1$
$l = 3$: $\alpha^8 = \alpha^3 + \alpha^2 + \alpha$
$l = 4$: $\alpha^{16} = \alpha$ (the conjugates start to repeat)
So $\alpha, \alpha^2, \alpha^3 + 1, \alpha^3 + \alpha^2 + \alpha$ are conjugates of each other.

Get the irreducible polynomial back from conjugates
Example: Over $\mathbb{F}_{16} = \mathbb{F}_2[x] \pmod{x^4 + x^3 + 1}$, the conjugate elements are:
$\alpha, \alpha^2, \alpha^4, \alpha^8$
$\alpha^3, \alpha^6, \alpha^{12}, \alpha^{24}$
$\alpha^7, \alpha^{14}, \alpha^{28}, \alpha^{56}$
$\alpha^5, \alpha^{10}$
Minimal polynomial of an element $\beta$: let $e$ be the smallest integer such that $\beta^{2^e} = \beta$. Construct the polynomial $f(x) = \prod_{i=0}^{e-1} (x + \beta^{2^i})$. Then $f(x)$ is an irreducible polynomial, and it is also called the irreducible polynomial of $\beta$.

Get the irreducible polynomial back from conjugates
The minimal polynomial of any element $\beta$ is $f(x) = \prod_{i=0}^{e-1} (x + \beta^{2^i})$.
Example: Over $\mathbb{F}_{16} = \mathbb{F}_2[x] \pmod{x^4 + x^3 + 1}$, the conjugate elements and their minimal polynomials are:
$\alpha, \alpha^2, \alpha^4, \alpha^8$: $f_1(x) = (x + \alpha)(x + \alpha^2)(x + \alpha^4)(x + \alpha^8) = x^4 + x^3 + 1$
$\alpha^3, \alpha^6, \alpha^{12}, \alpha^{24}$: $f_2(x) = x^4 + x^3 + x^2 + 1$
$\alpha^7, \alpha^{14}, \alpha^{28}, \alpha^{56}$: $f_3(x) = x^4 + x + 1$
$\alpha^5, \alpha^{10}$: $f_4(x) = x^2 + x + 1$
Some observations: note that $f_4 = x^2 + x + 1$ is the polynomial used to construct $\mathbb{F}_4$. Also notice that associated with every element in $\mathbb{F}_{2^k}$ is a minimal polynomial and its roots (conjugates), which demonstrate the containment of fields and also the uniqueness of the fields up to the labeling of the elements.
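The field arithmetic behind the preceding slides (addition and multiplication in $\mathbb{F}_{2^k}$, the $\mathbb{F}_{16}$ table, the primitivity test, the conjugates and their minimal polynomials), as an added example that is not part of the lecture: elements are bit-vectors, addition is XOR, multiplication is shift-and-add with reduction by $P(x)$, and the minimal polynomial is obtained by multiplying out $\prod (x + \beta^{2^i})$ over the Frobenius orbit. The constants `K`, `P`, `ALPHA` and all function names are mine. Running it reproduces $\alpha^5 + \alpha^{11} = \alpha^{13}$, $\alpha^4 \cdot \alpha^{10} = \alpha^3 + \alpha^2$, the primitivity of $x^4 + x^3 + 1$ versus $x^4 + x^3 + x^2 + x + 1$, and the four conjugacy classes. One caveat a reader should check for themselves: for the class of $\alpha^3$ the product evaluates to $x^4 + x^3 + x^2 + x + 1$ (the non-primitive irreducible quartic) rather than the $x^4 + x^3 + x^2 + 1$ written on the slide above; the latter factors as $(x + 1)(x^3 + x + 1)$ over $\mathbb{F}_2$, so it cannot be the minimal polynomial of a degree-4 element.

```python
K, P = 4, 0b11001          # F_16 = F_2[x] / (x^4 + x^3 + 1), P(alpha) = 0, as on the slides
ALPHA = 0b0010             # the element alpha itself (bit-vector 0010)

def gf_add(a, b):
    """Characteristic 2: coefficients are reduced mod 2, so addition is bit-vector XOR."""
    return a ^ b

def gf_mul(a, b, k=K, p=P):
    """Shift-and-add product; whenever the degree reaches k, subtract (XOR) the modulus p."""
    r = 0
    for _ in range(k):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> k:
            a ^= p
    return r

def power_table(k=K, p=P):
    """alpha^0, alpha^1, ..., alpha^(2^k - 2): the Expo column of the F_16 table."""
    table, x = [], 1
    for _ in range((1 << k) - 1):
        table.append(x)
        x = gf_mul(x, ALPHA, k, p)
    return table

def is_primitive(p, k=K):
    """For irreducible p of degree k: primitive iff the powers of alpha reach every non-zero element."""
    return len(set(power_table(k, p))) == (1 << k) - 1

def conjugates(beta, k=K, p=P):
    """beta, beta^2, beta^4, ... until beta^(2^e) == beta (the Frobenius orbit of beta)."""
    orbit = []
    while beta not in orbit:
        orbit.append(beta)
        beta = gf_mul(beta, beta, k, p)
    return orbit

def minimal_polynomial(beta, k=K, p=P):
    """prod over the conjugates of (x + beta^(2^i)), multiplied out with F_{2^k} coefficients.
    Every coefficient collapses to 0 or 1, i.e. the result lies in F_2[x]; returned as a bitmask."""
    poly = [1]                                   # coefficient list, index = degree
    for c in conjugates(beta, k, p):
        nxt = [0] * (len(poly) + 1)
        for d, coef in enumerate(poly):
            nxt[d] ^= gf_mul(coef, c, k, p)      # coef * c   (constant term of x + c)
            nxt[d + 1] ^= coef                   # coef * x
        poly = nxt
    assert all(coef in (0, 1) for coef in poly), "product did not land in F_2[x]"
    return sum(coef << d for d, coef in enumerate(poly))

def conjugacy_classes(k=K, p=P):
    """Each non-zero element once, grouped into Frobenius orbits, with the orbit's minimal polynomial."""
    seen, classes = set(), []
    for x in power_table(k, p):
        if x not in seen:
            orbit = conjugates(x, k, p)
            seen.update(orbit)
            classes.append((orbit, minimal_polynomial(x, k, p)))
    return classes

if __name__ == "__main__":
    tbl = power_table()
    print(gf_add(tbl[5], tbl[11]) == tbl[13])                  # alpha^5 + alpha^11 = alpha^13
    print(gf_mul(tbl[4], tbl[10]) == tbl[14])                  # alpha^4 * alpha^10 = alpha^14
    print(is_primitive(0b11001), is_primitive(0b11111))        # True False
    for orbit, mp in conjugacy_classes():
        print([tbl.index(x) for x in orbit], bin(mp))          # exponents in the orbit, min poly
```

`is_primitive` assumes its argument is irreducible, as the slide does; for a reducible modulus the power sequence also fails to cover the field, so the test returns False without diagnosing why.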

Containment of fields and elements
Figure: Containment of fields: $\mathbb{F}_2 \subset \mathbb{F}_4 \subset \mathbb{F}_{16}$.
Additive & multiplicative closure: $\alpha^5 + \alpha^{10} = 1$, $\alpha^5 \cdot \alpha^{10} = 1$.

Containment and Closure
Theorem: $\mathbb{F}_{2^n} \subset \mathbb{F}_{2^m}$ if $n$ divides $m$.
Examples: $\mathbb{F}_2 \subset \mathbb{F}_{2^2} \subset \mathbb{F}_{2^4} \subset \mathbb{F}_{2^8} \subset \dots$; $\mathbb{F}_2 \subset \mathbb{F}_{2^3} \subset \mathbb{F}_{2^6} \subset \dots$; $\mathbb{F}_2 \subset \mathbb{F}_{2^5} \subset \mathbb{F}_{2^{10}} \subset \dots$; $\mathbb{F}_2 \subset \mathbb{F}_{2^7} \subset \mathbb{F}_{2^{14}} \subset \dots$; and so on.
Algebraic closure of $\mathbb{F}_q$: the algebraic closure of $\mathbb{F}_{2^k}$ is the union of ALL such fields $\mathbb{F}_{2^n}$ where $k \mid n$.

Polynomial Functions over $\mathbb{F}_q$
Any combinational circuit with $k$-bit inputs and a $k$-bit output implements a function $f: \mathbb{B}^k \to \mathbb{B}^k$.
It can be viewed as a function $f: \mathbb{F}_{2^k} \to \mathbb{F}_{2^k}$ or $f: \mathbb{Z}_{2^k} \to \mathbb{Z}_{2^k}$.
We need symbolic representations: view them as polynomial functions, i.e. treat the circuit $f: \mathbb{B}^k \to \mathbb{B}^k$ as a polynomial function.
Please see the last section in my book chapter.

Polynomial Functions $f: \mathbb{F}_q \to \mathbb{F}_q$
Every function is a polynomial function over $\mathbb{F}_q$.
Consider the 1-bit right-shift operation $Z[2:0] = A[2:0] \gg 1$:
{a2 a1 a0}   $A$                          {z2 z1 z0}   $Z$
000          $0$                          000          $0$
001          $1$                          000          $0$
010          $\alpha$                     001          $1$
011          $\alpha + 1$                 001          $1$
100          $\alpha^2$                   010          $\alpha$
101          $\alpha^2 + 1$               010          $\alpha$
110          $\alpha^2 + \alpha$          011          $\alpha + 1$
111          $\alpha^2 + \alpha + 1$      011          $\alpha + 1$
$Z = (\alpha^2 + 1)A^4 + (\alpha^2 + 1)A^2$ over $\mathbb{F}_{2^3}$, where $\alpha^3 + \alpha + 1 = 0$.

Polynomial Functions $f: \mathbb{F}_q \to \mathbb{F}_q$
Theorem (from [1]): Any function $f: \mathbb{F}_q \to \mathbb{F}_q$ is a polynomial function over $\mathbb{F}_q$, that is, there exists a polynomial $F \in \mathbb{F}_q[x]$ such that $f(a) = F(a)$ for all $a \in \mathbb{F}_q$.
Analyze $f$ over each of the $q$ points and apply Lagrange's interpolation formula:
$$F(x) = \sum_{n=1}^{q} \prod_{i \neq n} \frac{x - x_i}{x_n - x_i}\, f(x_n) \qquad (1)$$
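Formula (1) carried out in code, as an added example that is not part of the slides: Lagrange interpolation over $\mathbb{F}_{2^k}$, where "$-$" is "$+$" (XOR) and the division by $x_n - x_i$ is a multiplication by the inverse $a^{q-2}$ from the vanishing-polynomial slide. Applied to the right-shift table above over $\mathbb{F}_{2^3}$ with $\alpha^3 + \alpha + 1 = 0$, it recovers exactly $Z = (\alpha^2 + 1)A^4 + (\alpha^2 + 1)A^2$; since $\alpha^2 + 1$ is the bit-vector 101, the coefficient list it returns has the value 5 at degrees 2 and 4 and 0 elsewhere. The code goes beyond the slide's single case: `lagrange` accepts any function on the $2^k$ field elements. Constants `K`, `P` and the function names are mine.

```python
K, P = 3, 0b1011        # F_8 = F_2[x] / (x^3 + x + 1), the field of the right-shift slide

def gf_mul(a, b, k=K, p=P):
    """Shift-and-add product in F_{2^k}, reduced by p whenever the degree reaches k."""
    r = 0
    for _ in range(k):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> k:
            a ^= p
    return r

def gf_inv(a, k=K, p=P):
    """a^(q-2) by square-and-multiply, valid because a^(q-1) = 1 for non-zero a."""
    r, e = 1, (1 << k) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a, k, p)
        a = gf_mul(a, a, k, p)
        e >>= 1
    return r

def poly_mul(u, v, k=K, p=P):
    """Product of two polynomials with F_{2^k} coefficients (lists, index = degree)."""
    out = [0] * (len(u) + len(v) - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            out[i + j] ^= gf_mul(ui, vj, k, p)
    return out

def lagrange(f, k=K, p=P):
    """Formula (1): F(x) = sum_n f(x_n) * prod_{i != n} (x - x_i) / (x_n - x_i),
    with x_n ranging over all q = 2^k field elements (as bit-vectors 0 .. q-1).
    Returns the coefficient list of the unique F with deg F < q and F(a) = f(a) for all a."""
    q = 1 << k
    coeffs = [0] * q
    for n in range(q):
        numer, denom = [1], 1
        for i in range(q):
            if i != n:
                numer = poly_mul(numer, [i, 1], k, p)      # factor (x + x_i)
                denom = gf_mul(denom, n ^ i, k, p)         # factor (x_n + x_i)
        scale = gf_mul(f(n), gf_inv(denom, k, p), k, p)    # f(x_n) / prod (x_n + x_i)
        for d, c in enumerate(numer):
            coeffs[d] ^= gf_mul(c, scale, k, p)
    return coeffs

def evaluate(coeffs, a, k=K, p=P):
    """Horner evaluation of a coefficient list at the field element a."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, a, k, p) ^ c
    return acc

def right_shift(a):
    """The 3-bit circuit of the slide: Z[2:0] = A[2:0] >> 1."""
    return a >> 1

if __name__ == "__main__":
    F = lagrange(right_shift)
    print({d: bin(c) for d, c in enumerate(F) if c})               # {2: '0b101', 4: '0b101'}
    print(all(evaluate(F, a) == right_shift(a) for a in range(8)))  # True
```

The result has only even-power terms because a bit shift is $\mathbb{F}_2$-linear, and linear maps of $\mathbb{F}_{2^k}$ are exactly the polynomials in $A, A^2, A^4, \dots$; a non-linear circuit (an AND of two input bits, say) interpolates just as well but yields odd powers too.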

Hardware Applications over $\mathbb{F}_{2^k}$
Elliptic Curve Cryptography: $y^2 + xy = x^3 + ax^2 + b$ over $\mathrm{GF}(2^k)$.
Figure: point addition $R = P + Q$ on the curve.
Compute the slope: $\dfrac{y_2 - y_1}{x_2 - x_1}$.
Computation of inverses over $\mathbb{F}_{2^k}$ is expensive.

Point addition using Projective Co-ordinates
Curve: $Y^2 + XYZ = X^3 Z + aX^2 Z^2 + bZ^4$ over $\mathbb{F}_{2^k}$.
Let $(X_3, Y_3, Z_3) = (X_1, Y_1, Z_1) + (X_2, Y_2, 1)$:
$A = Y_2 Z_1^2 + Y_1$
$B = X_2 Z_1 + X_1$
$C = Z_1 B$
$D = B^2 (C + aZ_1^2)$
$Z_3 = C^2$
$E = A C$
$X_3 = A^2 + D + E$
$F = X_3 + X_2 Z_3$
$G = X_3 + Y_2 Z_3$
$Y_3 = E F + Z_3 G$
No inverses, just addition and multiplication.
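The two point-addition slides side by side, as an added example that is not part of the lecture: the affine chord formula that needs one field inverse, and the projective formulas above that need none. The projective curve is the affine one under $x = X/Z$, $y = Y/Z^2$, which is what `to_affine` undoes. The check enumerates every point of a constructed toy curve $y^2 + xy = x^3 + x^2 + 1$ over the slides' $\mathbb{F}_{16}$ (the curve parameters $a = b = 1$ are my assumption, chosen only so that points exist), adds every pair with $x_1 \neq x_2$ both ways, and confirms that the projective result, mapped back, equals the affine result, for $Z_1 = 1$ and also for a non-trivial scaling of the same point. Function and constant names are mine.

```python
K, P = 4, 0b11001          # F_16 = F_2[x] / (x^4 + x^3 + 1), the field of the slides
A_COEF, B_COEF = 1, 1      # constructed toy curve y^2 + xy = x^3 + x^2 + 1 (assumed, not from the slides)

def gf_mul(a, b):
    """Shift-and-add product in F_16, reduced by P whenever the degree reaches 4."""
    r = 0
    for _ in range(K):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K:
            a ^= P
    return r

def gf_inv(a):
    """a^(q-2) = a^14 by square-and-multiply: the costly inversion the projective form avoids."""
    r, e = 1, (1 << K) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def on_curve(x, y):
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(A_COEF, gf_mul(x, x)) ^ B_COEF
    return lhs == rhs

def affine_points():
    return [(x, y) for x in range(1 << K) for y in range(1 << K) if on_curve(x, y)]

def affine_add(p1, p2):
    """Chord addition with the slope (y1 + y2)/(x1 + x2) of the previous slide; one inverse."""
    (x1, y1), (x2, y2) = p1, p2
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A_COEF
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return x3, y3

def projective_mixed_add(X1, Y1, Z1, X2, Y2):
    """The slide's formulas for (X1,Y1,Z1) + (X2,Y2,1): additions and multiplications only."""
    Z1sq = gf_mul(Z1, Z1)
    A = gf_mul(Y2, Z1sq) ^ Y1
    B = gf_mul(X2, Z1) ^ X1
    C = gf_mul(Z1, B)
    D = gf_mul(gf_mul(B, B), C ^ gf_mul(A_COEF, Z1sq))
    Z3 = gf_mul(C, C)
    E = gf_mul(A, C)
    X3 = gf_mul(A, A) ^ D ^ E
    F = X3 ^ gf_mul(X2, Z3)
    G = X3 ^ gf_mul(Y2, Z3)
    Y3 = gf_mul(E, F) ^ gf_mul(Z3, G)
    return X3, Y3, Z3

def to_affine(X, Y, Z):
    """Y^2 + XYZ = X^3 Z + aX^2 Z^2 + bZ^4 is the affine curve with x = X/Z, y = Y/Z^2."""
    zi = gf_inv(Z)
    return gf_mul(X, zi), gf_mul(Y, gf_mul(zi, zi))

def check_mixed_addition():
    """Add every pair of curve points with x1 != x2, both ways, through both formulas.
    Returns the number of agreeing cases; raises on the first disagreement.
    Z1 = 1 and a non-trivial scaling Z1 = alpha^2 + alpha + 1 of the same point are both tried."""
    pts = affine_points()
    agree = 0
    for (x1, y1) in pts:
        for (x2, y2) in pts:
            if x1 == x2:
                continue
            expect = affine_add((x1, y1), (x2, y2))
            for z in (1, 0b0111):
                X1, Y1 = gf_mul(x1, z), gf_mul(y1, gf_mul(z, z))
                got = to_affine(*projective_mixed_add(X1, Y1, z, x2, y2))
                if got != expect or not on_curve(*got):
                    raise AssertionError(f"mismatch at {(x1, y1)} + {(x2, y2)}, Z1={z}")
                agree += 1
    return agree

if __name__ == "__main__":
    print(len(affine_points()), "affine points;", check_mixed_addition(), "additions agree")
```

Counting operations in `projective_mixed_add` shows where the hardware win comes from: about a dozen multiplications and no `gf_inv`, whereas `affine_add` spends one inversion per addition, and each inversion here costs a whole square-and-multiply chain of multiplications.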

Multiplication in $\mathrm{GF}(2^4)$
Input: $A = (a_3 a_2 a_1 a_0)$, $B = (b_3 b_2 b_1 b_0)$
$A = a_0 + a_1 \alpha + a_2 \alpha^2 + a_3 \alpha^3$
$B = b_0 + b_1 \alpha + b_2 \alpha^2 + b_3 \alpha^3$
Irreducible polynomial: $P = (11001)$, $P(x) = x^4 + x^3 + 1$, $P(\alpha) = 0$
Result: output $G = A \cdot B \pmod{P(x)}$

Multiplication over $\mathrm{GF}(2^4)$
                          a3    a2    a1    a0
                     x    b3    b2    b1    b0
   -------------------------------------------
                        a3b0  a2b0  a1b0  a0b0
                  a3b1  a2b1  a1b1  a0b1
            a3b2  a2b2  a1b2  a0b2
      a3b3  a2b3  a1b3  a0b3
   -------------------------------------------
      s6    s5    s4    s3    s2    s1    s0
In polynomial expression: $S = s_0 + s_1 \alpha + s_2 \alpha^2 + s_3 \alpha^3 + s_4 \alpha^4 + s_5 \alpha^5 + s_6 \alpha^6$.
$S$ should be further reduced $\pmod{P(x)}$.

Multiplication over $\mathrm{GF}(2^4)$
   s6  s5  s4 | s3  s2  s1  s0
                s4   0   0  s4     <- $s_4 \alpha^4 \pmod{P(\alpha)}$
                s5   0  s5  s5     <- $s_5 \alpha^5 \pmod{P(\alpha)}$
              + s6  s6  s6  s6     <- $s_6 \alpha^6 \pmod{P(\alpha)}$
              ----------------
                g3  g2  g1  g0
$s_4 \alpha^4 \pmod{\alpha^4 + \alpha^3 + 1} = s_4 (\alpha^3 + 1) = s_4 \alpha^3 + s_4$
$s_5 \alpha^5 \pmod{\alpha^4 + \alpha^3 + 1} = s_5 (\alpha^3 + \alpha + 1) = s_5 \alpha^3 + s_5 \alpha + s_5$
$s_6 \alpha^6 \pmod{\alpha^4 + \alpha^3 + 1} = s_6 (\alpha^3 + \alpha^2 + \alpha + 1) = s_6 \alpha^3 + s_6 \alpha^2 + s_6 \alpha + s_6$
$G = g_0 + g_1 \alpha + g_2 \alpha^2 + g_3 \alpha^3$
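The two multiplier slides as a bit-level model, added here and not part of the lecture: the AND/XOR array that forms $s_0, \dots, s_6$ and the three reduction rows that fold $s_4, s_5, s_6$ into $g_3 \dots g_0$ are written out gate by gate, exactly as a designer would before handing the netlist to a verifier. Running it reproduces $\alpha^4 \cdot \alpha^{10} = \alpha^{14}$ (1001 times 1010 gives 1100) and $\alpha^5 \cdot \alpha^{11} = \alpha^{16} = \alpha$ from the $\mathbb{F}_{16}$ table, and feeding $\alpha$ back through the multiplier regenerates the table's Expo column, which is also the primitivity check for $P(x)$. Function names are mine.

```python
def bits(x, n):
    """Little-endian bit list: bits(x, n)[i] is the coefficient of alpha^i."""
    return [(x >> i) & 1 for i in range(n)]

def partial_products(a, b):
    """The AND/XOR array of the slide: s_j = XOR over i of (a_i AND b_{j-i}), j = 0..6.
    S = s0 + s1 alpha + ... + s6 alpha^6 is the product before reduction."""
    A, B = bits(a, 4), bits(b, 4)
    s = [0] * 7
    for i in range(4):
        for j in range(4):
            s[i + j] ^= A[i] & B[j]
    return s

def reduce_mod_p(s):
    """Reduction rows for P(x) = x^4 + x^3 + 1:
    s4 alpha^4 = s4 (alpha^3 + 1), s5 alpha^5 = s5 (alpha^3 + alpha + 1),
    s6 alpha^6 = s6 (alpha^3 + alpha^2 + alpha + 1); each row is XORed into g3..g0."""
    g0 = s[0] ^ s[4] ^ s[5] ^ s[6]
    g1 = s[1] ^ s[5] ^ s[6]
    g2 = s[2] ^ s[6]
    g3 = s[3] ^ s[4] ^ s[5] ^ s[6]
    return g0 | (g1 << 1) | (g2 << 2) | (g3 << 3)

def gf16_mul(a, b):
    """G = A * B (mod P(x)) for 4-bit operands, composed exactly as the two slides do it."""
    return reduce_mod_p(partial_products(a, b))

def alpha_powers():
    """Feed alpha (0010) back through the multiplier: the Expo column of the F_16 table.
    Returns the 15 powers alpha^0..alpha^14 and the element after the 15th step."""
    out, x = [], 1
    for _ in range(15):
        out.append(x)
        x = gf16_mul(x, 0b0010)
    return out, x            # the second value is 1 only if the cycle closes, i.e. P is primitive

def is_field_multiplication():
    """Sanity checks a designer would script: commutativity, associativity, no zero divisors."""
    elems = range(16)
    comm = all(gf16_mul(a, b) == gf16_mul(b, a) for a in elems for b in elems)
    assoc = all(gf16_mul(gf16_mul(a, b), c) == gf16_mul(a, gf16_mul(b, c))
                for a in elems for b in elems for c in elems)
    no_zero_div = all(gf16_mul(a, b) != 0 for a in elems if a for b in elems if b)
    return comm and assoc and no_zero_div

if __name__ == "__main__":
    print(bin(gf16_mul(0b1001, 0b1010)))      # 0b1100 : alpha^4 * alpha^10 = alpha^14
    powers, wrap = alpha_powers()
    print([bin(p) for p in powers], wrap)      # the Expo column, then 1
    print(is_field_multiplication())           # True
```

The reduction rows are the only part of the circuit that depends on $P(x)$; swapping in another degree-4 modulus changes `reduce_mod_p` and nothing else, which is why `alpha_powers` is a useful regression check after such an edit.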

Montgomery Architecture
Figure: Montgomery multiplier over $\mathrm{GF}(2^k)$: the inputs $A$ and $B$ are each multiplied by the precomputed constant $R^2$ in an MM block to give $A \cdot R$ and $B \cdot R$; a third MM block forms $A \cdot B \cdot R$; a final MM block with the constant "1" returns $G = A \cdot B \pmod P$.
Montgomery multiply: $F = A \cdot B \cdot R^{-1}$, $R = \alpha^k$.
Barrett architectures do not require the precomputed $R^{-1}$.
We can verify 163-bit circuits, and also catch bugs! Conventional techniques fail beyond 16-bit circuits.

Verification: The Mathematical Problem
Let us take the verification of GF multipliers as an example.
Given the specification polynomial $f: Z = A \cdot B \pmod{P(x)}$ over $\mathbb{F}_{2^k}$, for given $k$ and given $P(x)$ such that $P(\alpha) = 0$.
Given a circuit implementation $C$ with primary inputs $A = \{a_0, \dots, a_{k-1}\}$, $B = \{b_0, \dots, b_{k-1}\}$ and primary output $Z = \{z_0, \dots, z_{k-1}\}$:
$A = a_0 + a_1 \alpha + a_2 \alpha^2 + \dots + a_{k-1} \alpha^{k-1}$, $B = b_0 + b_1 \alpha + \dots + b_{k-1} \alpha^{k-1}$, $Z = z_0 + z_1 \alpha + \dots + z_{k-1} \alpha^{k-1}$
Does the circuit $C$ correctly compute the specification $f$?
Mathematically: construct a miter between the spec $f$ and the implementation $C$; model the circuit (gates) as polynomials $\{f_1, \dots, f_s\} \subset \mathbb{F}_{2^k}[x_1, \dots, x_d]$; apply the Weak Nullstellensatz.

Equivalence Checking over $\mathbb{F}_{2^k}$
Figure: The equivalence checking setup (miter): Circuit 1 (circuit equations, output $X$) and Circuit 2 (circuit equations, output $Y$) share the inputs $A, B$; the miter asks $X \neq Y$?
The spec can be a polynomial $f$, or a circuit implementation $C$.
Model the miter gate as $t(X - Y) = 1$, where $t$ is a free variable.

Verify a polynomial spec against circuit $C$
Figure: The equivalence checking setup (miter): the word-level spec $Z_1 = A \cdot B \pmod P$ and the bit-level circuit output $Z$ share the inputs $A, B$; is the miter $t(Z - Z_1) = 1$ feasible?
When $Z = Z_1$, $t(Z - Z_1) = 1$ has no solution: infeasible miter.
When $Z \neq Z_1$: let $t_1 = (Z - Z_1)$. Then $t \cdot t_1 = 1$ always has a solution!
Apply the Nullstellensatz over $\mathbb{F}_{2^k}$.

Example Implementation Circuit: Mastrovito Multiplier over $\mathbb{F}_4$
Figure: A 2-bit multiplier.
Write $A = a_0 + a_1 \alpha$ as a polynomial $f_A: A + a_0 + a_1 \alpha$.
Polynomials modeling the entire circuit: ideal $J = \langle f_1, \dots, f_{10} \rangle$
$f_1: z_0 + z_1 \alpha + Z$; $f_2: b_0 + b_1 \alpha + B$; $f_3: a_0 + a_1 \alpha + A$;
$f_4: s_0 + a_0 b_0$; $f_5: s_1 + a_0 b_1$; $f_6: s_2 + a_1 b_0$; $f_7: s_3 + a_1 b_1$;
$f_8: r_0 + s_1 + s_2$; $f_9: z_0 + s_0 + s_3$; $f_{10}: z_1 + r_0 + s_3$

Continue with multiplier verification
So far, the ideal $J = \langle f_1, \dots, f_{10} \rangle$ models the implementation.
Let the polynomial $f: Z - A \cdot B$ denote the spec.
Miter polynomial $f_m: t \cdot (Z - Z_1) - 1$.
Update the ideal representation of the miter: $J = J + \langle f, f_m \rangle$.
Finally: the ideal $J = \langle f_1, \dots, f_{10}, f, f_m \rangle$ represents the miter circuit, $J \subset \mathbb{F}_{2^k}[A, B, Z, Z_1, a_0, a_1, b_0, b_1, r_0, s_0, \dots, s_3, t]$.
Verification problem: is the variety $V_{\mathbb{F}_4}(J) = \emptyset$?
How will we solve this problem?
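The miter of the last three slides evaluated by brute force, as an added example that is not part of the lecture: over $\mathbb{F}_4$ there are only 16 input points, so instead of a Gröbner basis the variety $V_{\mathbb{F}_4}(J)$ can be listed directly as the inputs at which $Z \neq Z_1$, i.e. where $t \cdot (Z - Z_1) = 1$ has a solution $t = (Z - Z_1)^{-1}$. The circuit function follows the generators $f_4 \dots f_{10}$ line by line; the spec $Z_1 = A \cdot B \pmod{x^2 + x + 1}$ is computed independently of the circuit structure. A second, deliberately faulty circuit (my construction, not from the slides: the XOR driving $z_1$ has lost its $s_3$ input) shows what a non-empty variety looks like. Function names are mine.

```python
def mastrovito_f4(a0, a1, b0, b1):
    """Gate-level circuit of the slide, one line per generator f4..f10 of the ideal J."""
    s0, s1, s2, s3 = a0 & b0, a0 & b1, a1 & b0, a1 & b1   # f4..f7: the four AND gates
    r0 = s1 ^ s2                                           # f8
    z0 = s0 ^ s3                                           # f9
    z1 = r0 ^ s3                                           # f10
    return z0, z1

def buggy_mastrovito_f4(a0, a1, b0, b1):
    """Constructed fault (not from the slides): the XOR driving z1 lost its s3 input."""
    s0, s1, s2, s3 = a0 & b0, a0 & b1, a1 & b0, a1 & b1
    r0 = s1 ^ s2
    return s0 ^ s3, r0

def spec_f4(a, b):
    """Word-level spec Z1 = A * B (mod x^2 + x + 1), computed independently of the circuit:
    carry-less product in F_2[x], then one reduction step alpha^2 = alpha + 1."""
    prod = 0
    for i in range(2):
        if (b >> i) & 1:
            prod ^= a << i
    if prod & 0b100:
        prod ^= 0b111
    return prod

def word(z0, z1):
    """f1 of the slide: Z = z0 + z1 alpha, i.e. pack the bit-level output into a word."""
    return z0 | (z1 << 1)

def miter_variety(circuit, spec=spec_f4):
    """V_{F_4}(J) by exhaustive evaluation rather than a Groebner basis: the inputs (A, B)
    at which Z != Z1, so that t * (Z - Z1) = 1 is satisfiable.
    An empty list is the '{1}' verdict: the circuit matches the spec at every point."""
    points = []
    for a in range(4):
        for b in range(4):
            z = word(*circuit(a & 1, a >> 1, b & 1, b >> 1))   # f2, f3: unpack A, B into bits
            if z != spec(a, b):
                points.append((a, b))
    return points

if __name__ == "__main__":
    print(miter_variety(mastrovito_f4))         # [] : the implementation is correct
    print(miter_variety(buggy_mastrovito_f4))   # the points with a1 = b1 = 1 expose the fault
```

Exhaustive evaluation is exactly what stops scaling: for the 163-bit multipliers mentioned on the Montgomery slide the input space has $2^{326}$ points, which is why the slides replace this loop with the Nullstellensatz and a Gröbner-basis computation of $J + J_0$.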

Weak Nullstellensatz over $\mathbb{F}_{2^k}$
Theorem (Weak Nullstellensatz over $\mathbb{F}_{2^k}$): Let $J = \langle f_1, \dots, f_s \rangle \subset \mathbb{F}_{2^k}[x_1, \dots, x_n]$ be an ideal. Let $J_0 = \langle x_1^{2^k} - x_1, \dots, x_n^{2^k} - x_n \rangle$ be the ideal of all vanishing polynomials. Then:
$$V_{\mathbb{F}_{2^k}}(J) = V_{\overline{\mathbb{F}_{2^k}}}(J + J_0) = \emptyset \iff \mathrm{reducedGB}(J + J_0) = \{1\}$$
Proof:
$$V_{\mathbb{F}_{2^k}}(J) = V_{\overline{\mathbb{F}_{2^k}}}(J) \cap \mathbb{F}_{2^k}^{\,n} = V_{\overline{\mathbb{F}_{2^k}}}(J) \cap V_{\overline{\mathbb{F}_{2^k}}}(J_0) = V_{\overline{\mathbb{F}_{2^k}}}(J + J_0)$$
Remember: $V_{\mathbb{F}_q}(J_0) = V_{\overline{\mathbb{F}_q}}(J_0)$. The variety of $J_0$ does not change over the field or the closure!

Apply the Weak Nullstellensatz to the Miter
Note: word-level polynomials such as $f_A: A + a_0 + a_1 \alpha$ lie in $\mathbb{F}_{2^k}[\dots]$, while gate-level polynomials such as $f_4: s_0 + a_0 b_0$ lie in $\mathbb{F}_2[\dots]$.
Since $\mathbb{F}_2 \subset \mathbb{F}_{2^k}$, we can treat ALL polynomials of the miter, collectively, over the larger field $\mathbb{F}_{2^k}$, so $J \subset \mathbb{F}_{2^k}[A, B, Z, Z_1, a_0, a_1, \dots, z_0, z_1]$.
Consider the word-level vanishing polynomials, e.g. $A^{2^2} - A$. What about the bit-level vanishing polynomials, e.g. $a_0^2 - a_0$?
So $J_0 = \langle W^{2^k} - W,\ B^2 - B \rangle$, where $W$ ranges over all word-level variables and $B$ over all bit-level variables.
Now compute $G = \mathrm{GB}(J + J_0)$. If $G = \{1\}$, the circuit is correct. Otherwise there is definitely a BUG within the field $\mathbb{F}_{2^k}$.

[1] R. Lidl and H. Niederreiter, Finite Fields. Cambridge University Press, 1997.